In the face of rapidly growing cyber ­risk, the tools of insurance, i.e. risk management and shared learning, need to be rapidly grown and deployed. If society wishes to bring insurance to bear on helping to manage cyber ­risk, then cyber­-catastrophe reinsurance needs to be available for property damage, business interruption, and third party liabilities in order to remove blockages to rapid take­ up of cyber insurance by businesses.

The report analyses the nature and evidence of cyber ­risks, with a focus on cyber ­catastrophe events. The report explores how a public­-private cyber­ catastrophe reinsurance scheme could help secure ICT­based prosperity in the UK by helping insurers insure themselves to insure others. The scheme would provide cover to a group of insurers above a catastrophic loss threshold, in effect a pool funded by the insurance industry.

The UK government's role would be one of promotion and (possibly) a last resort insurer only in the event that industry retentions and the scheme's reserves have been exhausted. In all likelihood, the UK government would be a last resort insurer anyway but in this way it would benefit from a buffer much deeper than the one it enjoys today.

Key recommendations:

the scheme should provide more standardised wordings linking cyber­ catastrophe to the policies members write, and more standardised data collection for analytical purposes;

the scheme should promote the use and evolution through learning of ICT security and risk management standards such as Cyber Essentials, ISO 27000, NIST, or CESG's 10 Steps;

members should jointly seek reinsurance for a cyber­-catastrophe, including consideration of cyber­-catastrophe linked securities; government should facilitate, but not underwrite, the scheme's reinsurance ­ government oversight could help the issuance of cyber­ catastrophe linked bonds;

government and regulators should strongly encourage cyber insurance for essential services and critical national infrastructure including financial services, and incorporate cyber insurance in government procurement processes, e.g. requirement to purchase if unable to show appropriate management or retentions.

This report is the outcome of a Long Finance research project carried out by Z/Yen Group between May and July 2015 and co-­sponsored by APM Group (more information).

The research involved 80 interviews and two events with professionals working in insurance and reinsurance as well as government, academia and civil society.

At the launch held on 27th July at the City Centre, Professor Michael Mainelli presented the findings from the report, followed by a panel discussion with Tom Bolt (Lloyd's), Martin Huddleston (Dstl), Commissioner Adrian Leppard (City of London Police) and chaired by Hugh Morris (Tori Global).

Richard Pharro, CEO at APM Group said: We are now dependent on electronic networks which define our economy, infrastructure and day­ to­day lives. The issue of cyber­security is fast moving towards a high stakes game for everyone, so it is entirely appropriate that we take robust steps towards putting the UK on a secure cyber footing. It is with everyone's prosperity and safety in mind that a public­private reinsurance scheme be considered to add certainty to UK plc cyber resilience. Whilst providing support for our economy against future threats an initiative such as this would raise general awareness about cyber security in the Board room.

Commissioner Adrian Leppard, the UK national policing lead for Fraud and Cyber said: Cyber insurance has a vital role to play in helping to keep society safe from the growing threat we are facing. Traditional enforcement methods have limited impact in this area and better standards for information security endorsed through comprehensive insurance models are an important means of creating a safer world for our communities.

Professor Michael Mainelli, Executive Chairman of Z/Yen and a co­author said: Historically, insurance has taught society how to handle risks from fire to workplace safety, road accidents, and life itself. To increase the rate of learning about cyber risk, society needs to increase the rate of cyber cover. A public­private cyber reinsurance scheme should be measured on how rapidly it helps us learn how to deal with the cyber­ threats to our economic prosperity.

You might also like ...

When considering data protection, data losses tend to spring to mind. However, this year, the risks of holding data for too long have been at the fore.

The recently publicised "right to be forgotten" case saw the European Court of Justice rule that Google Spain was a data controller due to its capacity to find, index, store and make information available to the public on its website.